reference deployment

Cisco Secure Firewall Cloud Native on AWS

Provision, run, and scale containerized Cisco security services

This Partner Solution deploys Cisco Secure Firewall Cloud Native to the Amazon Web Services (AWS) Cloud. This deployment extends Cisco security to the cloud using Amazon Elastic Kubernetes Service (Amazon EKS), which runs the Kubernetes management infrastructure that automates tasks such as patching, node provisioning, and updates. 

This Partner Solution is for organizations with remote workers and multitenant environments. For more information, refer to Cisco Secure Firewall Cloud Native.

Cisco logo

This Partner Solution was developed by Cisco in collaboration with AWS. Cisco is an AWS Partner.

  •  What you'll build
  • This Partner Solution sets up the following:

    • A highly available architecture that spans two Availability Zones.*
    • A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
    • Amazon Route 53 for virtual private network (VPN) load balancing and Cloud Native Firewall (CNFW) health monitoring.
    • Amazon EKS for Kubernetes orchestration of the Cisco Secure Firewall cluster, including the Redirector, Control Point, and Enforcement Point.
    • Amazon Elastic File Service (Amazon EFS) for elastic file systems for the Control Point and Enforcement Point.
    • Amazon ElastiCache for Redis to store information on VPN sessions. The Redirector pod uses this information for load balancing and recovery.
    • In the public subnets:
      • Secure Firewall Cloud Native Redirector for load balancing of remote access VPN traffic.
      • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
      • Secure Firewall Cloud Native Control Point in an Auto Scaling group for configuration validation, licensing, and route management.
      • Secure Firewall Cloud Native Enforcement Point for termination of VPN sessions and forwarding of traffic.
      • CNFW Elastic Network Interfaces (ENI) in an Auto Scaling group.
    • In the private subnets:
      • CNFW ENIs in an Auto Scaling group.

    *  The template that deploys the Partner Solution into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

  •  How to deploy
  • To deploy this Partner Solution, follow the instructions in the deployment guide, which includes these steps. The stack takes about 50 minutes to launch.

    1. Sign in to your AWS account. If you don't have an account, sign up at
    2. Subscribe to Cisco Secure Firewall Cloud Native BYOL on AWS Marketplace.
    3. Launch the Partner Solution. Choose the Region from the top toolbar before creating the stack. You can choose from the following options:
    4. Test the deployment.
    5. Complete postdeployment steps.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

  •  Costs and licenses
  • This Partner Solution requires a Cisco Secure Firewall Cluster license to deploy more than one Cloud Native Firewall Cluster enforcement point limited to 100 Kbps. To obtain a license, refer to Cisco Software Central. This Partner Solution also requires a subscription to Cisco Secure Firewall Cloud Native BYOL on AWS Marketplace.

    You are responsible for the cost of the AWS services and any third-party licenses used while running this Partner Solution reference deployment. There is no additional cost for using this Partner Solution.

    The AWS CloudFormation templates for this Partner Solution include configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Partner Solution, create AWS Cost and Usage Reports to track costs associated with the Partner Solution. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information about the report, refer to  What are AWS Cost and Usage Reports?